Voith IT Solutions 



Self defending networks? 

What we do @Voith to protect our network. 

Troopers08, 23.-24.03.08 Munich, Germany 



Content 


Global Voith IT Organisation 
Self defending networks 
Best Practice @ Voith 

IT Security Organisation 
Technical Basis 
Security Processes 


Conclusion 




Author 


Rolf Strehle 

CEO ditis Systeme 
CISO Voith AG 
ISO 27001 Auditor 

ditis Systeme 

The Security Company 
Carl-Schwenk-Str. 4-6 
D-89522 Heidenheim 

Phone: +49 7321 91770 
E-Mail: rolf.strehle@ditis.de 

A company of the Voith Group 



3 |Troopers08 - Self Defending Networks | 23.04.2008 


Scope of IT Security 

Global Voith IT Organisation 

[Map figure: Global Voith IT Organisation. Locations (example): Heidenheim, St. Pölten, Wilson, São Paulo, Hyderabad, Shanghai; regions: West Europe, East Europe, North America, South America, India, China. Legend: Regional Support Center, IT-Point; Virtual entity, Legal entity, Profit Center, Cost Center. Entities shown: VOIS, VOIE, VOIN, VOIL, VOIC, VOII, ditis.] 

app. 62 M€ Revenue 
app. 320 Employees 




Self defending networks 

What and Why 
Self defending networks 

Goals of NAC 
Because NAC represents an emerging category of security products, its definition is both evolving and controversial. The overarching goals of the concept can be distilled to: 


• Mitigation of zero-day attacks 

The key value proposition of NAC solutions is the ability to prevent end-stations that lack antivirus, 
patches, or host intrusion prevention software from accessing the network and placing other computers 
at risk of cross-contamination of network worms. 

• Policy enforcement 

NAC solutions allow network operators to define policies, such as the types of computers or roles of 
users allowed to access areas of the network, and enforce them in switches, routers, and network 
middleboxes. 

• Identity and access management 

Where conventional IP networks enforce access policies in terms of IP addresses, NAC environments 
attempt to do so based on authenticated user identities, at least for user end-stations such as laptops 
and desktop computers. 


Source: Wikipedia 
Self defending networks 

Concepts 
• Pre-admission and post-admission 

There are two prevailing design philosophies in NAC, based on whether policies are enforced before or after end-stations gain access to the network. In the former case, called pre-admission NAC, end-stations are inspected prior to being allowed on the network. A typical use case of pre-admission NAC would be to prevent clients with out-of-date antivirus signatures from talking to sensitive servers. Alternatively, post-admission NAC makes enforcement decisions based on user actions, after those users have been provided with access to the network. 


• Agent versus agentless 

The fundamental idea behind NAC is to allow the network to make access control decisions based on intelligence about end-systems, so the manner in which the network is informed about end-systems is a key design decision. A key difference among NAC systems is whether they require agent software to report end-system characteristics, or whether they use scanning and network inventory techniques to discern those characteristics remotely. 


• Out-of-band versus inline 

In some out-of-band systems, agents are distributed on end-stations and report information to a central console, which in turn can control switches to enforce policy. In contrast the inline solutions can be single-box solutions which act as internal firewalls for access-layer networks and enforce the policy. Out-of-band solutions have the advantage of reusing existing infrastructure; inline products can be easier to deploy on new networks, and may provide more advanced network enforcement capabilities, because they are directly in control of individual packets on the wire. However, there are products that are agentless, and have both the inherent advantages of easier, less risky out-of-band deployment, but use techniques to provide inline effectiveness for non-compliant devices, where enforcement is required. 


• Remediation, quarantine and captive portals 

Network operators deploy NAC products with the expectation that some legitimate clients will be denied access to the network (if users never had out-of-date patch levels, NAC would be unnecessary). Because of this, NAC solutions require a mechanism to remediate the end-user problems that deny them access. 
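As an added example (not from the presentation, and not from the Wikipedia text it quotes), the pre-admission and post-admission decisions described above expressed as a small policy engine in Python; the signature-age threshold, the patch identifiers, the port-count threshold and the VLAN names are constructed assumptions.

```python
"""Minimal NAC decision engine: a pre-admission posture check with quarantine and
remediation, plus a post-admission re-check driven by observed behaviour.
Added example; thresholds, patch identifiers and VLAN names are assumptions."""
from dataclasses import dataclass, field
from datetime import date, timedelta

MAX_SIGNATURE_AGE = timedelta(days=3)  # assumption: older AV signatures fail
REQUIRED_PATCHES = {"KB-A", "KB-B"}    # constructed patch identifiers, not real ones
MAX_CONTACTED_PORTS = 50               # assumption: post-admission worm threshold

@dataclass
class Endpoint:
    name: str
    av_signature_date: date
    installed_patches: set = field(default_factory=set)
    hips_running: bool = True
    distinct_ports_contacted: int = 0  # observed only after admission

def posture_findings(ep, today):
    """Reasons an end-station fails the pre-admission policy (empty if compliant)."""
    findings = []
    if today - ep.av_signature_date > MAX_SIGNATURE_AGE:
        findings.append("antivirus signatures out of date")
    missing = REQUIRED_PATCHES - ep.installed_patches
    if missing:
        findings.append("missing patches: " + ", ".join(sorted(missing)))
    if not ep.hips_running:
        findings.append("host intrusion prevention not running")
    return findings

def pre_admission(ep, today):
    """Pre-admission NAC: inspect before granting access. A non-compliant station
    lands in a quarantine VLAN whose captive portal lists the remediation steps."""
    findings = posture_findings(ep, today)
    if findings:
        return {"vlan": "quarantine", "remediation": findings}
    return {"vlan": "production", "remediation": []}

def post_admission(ep):
    """Post-admission NAC: decide on behaviour observed after access was granted.
    A station that suddenly talks to many distinct ports looks like a worm."""
    if ep.distinct_ports_contacted > MAX_CONTACTED_PORTS:
        reason = "suspected worm: contacted %d distinct ports" % ep.distinct_ports_contacted
        return {"vlan": "quarantine", "remediation": [reason]}
    return {"vlan": "production", "remediation": []}
```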
Self defending networks 

Standards? 
Self defending networks 


Best Practice @Voith 
• We do not use NAC 


As of today, there are a lot of good reasons not to rely on self defending networks: 

- Expensive 

- Incompatible 

- Complex 

- No mature technology 

- The “real threat” is elsewhere (Social Engineering) 


We use the combination of existing and proven technologies to defend our worldwide corporate network. 


The most complex threat is people, so we have to enable our own staff to face this reality. 


• We do defend our own network 


• We enable people to think “IT security” 


So how do we achieve this? 
IT Security Overview 


3 Tier Security Model 
IT Security Technical Basis 

Voith Security Toolbox 
IT Security Technical Basis 

Voith Anomaly Detector 
IT Security Technical Basis 

[Sidebar figure: 3 Tier Security Model, with the tiers Security Processes and Technical Basis legible] 
[Screenshot: the security intranet portal (ditis Systeme, Liferay Community) with the Basic Analysis and Security Engine (BASE) console for sensor vids03, used to review Snort alerts. The navigation lists per-sensor alert views (FW, DMZ, HDH, VPN) and several BASE instances. The alert list shows “Displaying alerts 1-13 of 420909 total”, with repeated BLEEDING-EDGE POLICY “TLS/SSL Encrypted Application Data on Unusual Port” hits on internal TCP connections. A second screenshot shows the Monitoring Team dashboard with a selectable time range.] 




IT Security Technical Basis 


Secure Data Storage 

Data Leakage Prevention 




Technical Basis 

Sichere Datenspeicherung (Secure Data Storage) 

[Table, garbled in extraction: a matrix of the data classification levels 0 (open), 1 (for internal use only), 2 (confidential) and 3 (strictly confidential) against the storage tools permitted for each level. Legend entries legible: no special tools necessary; PKI support, tool to be used preferentially; part of the current operating system; not yet introduced.] 


IT Security Overview 

Security Processes 


IT Security Organisation 


Security Processes 


IT Security Management 

- Incident Management 

- Change Management 

- Systems Monitoring 

- Security Audits 

- Risk Management 


IT Security Processes 

Vulnerability Management 
Goal: Proactive health check of all network components in the Voith corporate net 

Solution: Vulnerability Scanning and Reporting 



■ Regular network scan (appliance based) 

■ Regular password quality scan (AD based) 

■ Integration in existing ITIL and ITSM processes 

- Monthly Reporting 

- Central Monitoring inside IT Security Team 


Technology: Qualys, Nessus 
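An added example, not Voith's or ditis's own tooling: turning a vulnerability scan export into the monthly report and the central-monitoring escalation list that the slide describes. It assumes the .nessus v2 XML layout (ReportHost elements holding ReportItem elements with a numeric severity attribute, 0 = info up to 4 = critical); the export embedded below is constructed.

```python
"""Aggregate a Nessus export into a per-host severity summary and an escalation
list for the monthly report. Added example; the XML below is constructed."""
import xml.etree.ElementTree as ET
from collections import Counter

SEVERITY_NAMES = {0: "info", 1: "low", 2: "medium", 3: "high", 4: "critical"}
SEVERITY_ORDER = ["info", "low", "medium", "high", "critical"]

# Constructed sample export: two hosts, one with a critical finding.
SAMPLE_NESSUS = """<NessusClientData_v2>
  <Report name="monthly-scan">
    <ReportHost name="10.0.0.5">
      <ReportItem port="445" protocol="tcp" severity="4" pluginID="1"
                  pluginName="SMB service vulnerable (constructed)"/>
      <ReportItem port="80" protocol="tcp" severity="2" pluginID="2"
                  pluginName="Web server banner disclosure (constructed)"/>
      <ReportItem port="0" protocol="tcp" severity="0" pluginID="3"
                  pluginName="OS fingerprint (constructed)"/>
    </ReportHost>
    <ReportHost name="10.0.0.9">
      <ReportItem port="22" protocol="tcp" severity="1" pluginID="4"
                  pluginName="SSH weak algorithms (constructed)"/>
    </ReportHost>
  </Report>
</NessusClientData_v2>"""

def parse_nessus(xml_text):
    """Return {host: Counter(severity_name -> count)} for every ReportHost."""
    root = ET.fromstring(xml_text)
    per_host = {}
    for host in root.iter("ReportHost"):
        counts = Counter()
        for item in host.iter("ReportItem"):
            sev = int(item.get("severity", "0"))
            counts[SEVERITY_NAMES.get(sev, "unknown")] += 1
        per_host[host.get("name")] = counts
    return per_host

def monthly_report(per_host, escalate_at="high"):
    """Summarise totals across all hosts and list the hosts that must be handed
    to the incident process: any finding at or above escalate_at qualifies."""
    threshold = SEVERITY_ORDER.index(escalate_at)
    totals = Counter()
    escalate = []
    for host, counts in per_host.items():
        totals.update(counts)
        if any(counts[name] for name in SEVERITY_ORDER[threshold:]):
            escalate.append(host)
    return {"totals": dict(totals), "escalate": sorted(escalate)}
```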


CERT 
IT Security Processes 

Global Monitoring 
■ 24x7 hours monitoring in own global support organisation 

■ Incident management and trouble shooting 

■ Pro-active management of defined SLAs 



Global Support 

IT Security Processes 

Awareness Campaign 
Conclusion 

■ We have implemented a solid Security Basis for Voith IT worldwide 

■ We have a basic security framework in place (IT-Risk Management 
and ISMS according to ISO 27001) 

■ We have a very comprehensive Security Toolkit to support the 
business processes of our customers 

■ The main task is to implement the toolkit and organizational directives 
in the business processes of our customers 

■ We do not trust self defending networks - we defend our network! 

■ Security knowledge is very complex and rapidly changing, therefore 
we share the knowledge with other companies by outsourcing to 
www.ditis.de 



Thank you 